Anomaly and ransomware detection

ABSTRACT

Some examples relate generally to computer architecture software for information security and, in some more particular aspects, to machine learning based on changes in snapshot metadata for anomaly and ransomware detection in a file system.

FIELD

The present disclosure relates generally to computer architecturesoftware for information security and, in some more particular aspects,to machine learning on snapshot metadata for anomaly and ransomwaredetection in a file system.

BACKGROUND

Ransomware has become a major cyber-security threat over the past fewyears. It is estimated to have cost enterprises upwards of $5 billion indamages annually. A significant issue in failing to detect ransomware isthe prevalent use by data security vendors of signature-based approachesto malware detection. While this approach may be effective for somemalware detection, it is not as reliable for ransomware detectionbecause it is easy for a bad actor to release a new variant ofransomware with a different signature and thereby escape detection. Somenewer data security products have introduced machine learning-basedbehavioral analysis to combat this signature modification, but theseapproaches can be computationally expensive, particularly in aproduction environment.

SUMMARY

Some examples described in this disclosure leverage machine learning todetect anomalies and ransomware on data backups with little or no impacton production systems. The design of some examples is based on ahybrid-cloud architecture for maximal computational scaling. Suchexamples take advantage of snapshot metadata computed by enterprisebackup systems to minimize computational overhead while deliveringhigh-precision prediction results. In some examples, significantcomputational processing is offloaded to a cloud-basedsoftware-as-a-service (SaaS) platform to further reduce computationalstress placed on a primary machine being backed up.

In an example embodiment, an anomaly and ransomware detection system isprovided. The system may comprise: a storage device configured to storea base file or snapshot of a primary machine; and one or more processorsin communication with the storage device and a production system, theone or more processors configured to perform anomaly and ransomwareoperations including, at least: taking a first snapshot of a primarymachine; storing the first snapshot in the storage device; taking asecond snapshot of the primary machine; storing the second snapshot inthe storage device; identifying changes in filesystem metadata based onthe first and second snapshots; generating training data based on thechanges in the filesystem metadata; and training one or moremachine-learning models using the training data.

In some examples, the storage device is a backup storage device and theidentified changes are sourced from a backup system that includes thebackup storage device. In some examples, the anomaly and ransomwaredetection operations are performed without impacting the productionsystem. In some examples, at least some of the anomaly and ransomwaredetection operations are offloaded to a cloud-basedsoftware-as-a-service platform. In some examples, the one or moremachine-learning models include an anomaly model and/or an encryptionmodel. In some examples, the training of the one or moremachine-learning models is based on training data derived solely on thesnapshot-based metadata.

In another example embodiment, an anomaly and ransomware detectionsystem may comprise: a storage device configured to store a base file orsnapshot of a primary machine; and one or more processors incommunication with the storage device and a production system, the oneor more processors configured to perform anomaly and ransomwaredetection operations including, at least: taking a first snapshot of aprimary machine; storing the first snapshot in the storage device;taking a second snapshot of the primary machine; storing the secondsnapshot in the storage device; generating or accessing a duff FMD file(as described below) including filesystem metadata based at leastpartially on a difference between the first and second snapshots;generating training data based on the filesystem metadata; and trainingone or more machine-learning models using the training data.

In some examples, the storage device is a backup storage device and thegenerated or accessed metadata is received from a backup system thatincludes the backup storage device. In some examples, the anomaly andransomware detection operations are performed without impacting theproduction system. In some examples, at least some of the anomaly andransomware detection operations are offloaded to a cloud-basedsoftware-as-a-service platform. In some examples, the one or moremachine-learning models include an anomaly model and/or an encryptionmodel. In some examples, the training of the one or moremachine-learning models is based on training data derived solely on thesnapshot-based metadata.

In yet another example embodiment, a filesystem metadata augmentationtechnique (FMAT) system is provided. The system may comprise a memory;and one or more processors configured to perform training dataaugmentation operations including, at least: generating or accessing anormal diff FMD file sampled from a first seed dataset and sampling acertain number of lines (according to some probability distribution)from the diff FMD file; generating or accessing a prototype diff filesampled from a second seed dataset and sampling a certain number oflines according to a probability distribution from the prototypical diffFMD file; creating a new diff FMD file containing the lines sampled fromeach of the two aforementioned diff FMD files; and repeating to create anew diff DAD file for every diff FMD file in the first seed dataset togenerate or augment training data for one or more machine-learningmodels.

In some examples, the first seed dataset corresponds to a negativetarget class. In some examples, the second dataset corresponds to apositive target class. In some examples, the training data augmentationoperations are performed by a backup system without impacting productionoperations in a production system served by the backup system. In someexamples, at least some of the training data augmentation operations areoffloaded by the FMAT system to a cloud-based computing platform. Insome examples, the one or more machine-learning models include ananomaly model and/or an encryption model.

DESCRIPTION OF THE DRAWINGS

Some embodiments are illustrated by way of example and not limitation inthe figures of the accompanying drawings:

FIG. 1 depicts one embodiment of a networked computing environment inwhich the disclosed technology may be practiced, according to an exampleembodiment.

FIG. 2 depicts one embodiment of the server in FIG. 1, according to anexample embodiment.

FIG. 3 depicts one embodiment of the storage appliance 170 in FIG. 1,according to an example embodiment.

FIG. 4 depicts a high-level overview of example ransomware detectionsoftware architecture, according to an example embodiment.

FIG. 5 depicts example workflow operations in an anomaly and ransomware(encryption) detection pipeline, according to an example embodiment.

FIG. 6 depicts a ransomware classification, according to an exampleembodiment.

FIG. 7 depicts a categorization of an anomaly and ransomware detectionpipeline, according to an example embodiment.

FIG. 8 depicts example contents of a diff FMD file, according to anexample embodiment.

FIG. 9 depicts example contents of an RST file, according to an exampleembodiment.

FIG. 10 depicts a flow chart showing operations in a training dataaugmentation method, according to an example embodiment.

FIG. 11 depicts an example application of FMAT to generate trainingdata, according to an example embodiment.

FIGS. 12-14 each depict a block flow chart indicating example operationsin a method of the present disclosure, according to an exampleembodiment.

FIG. 15 depicts a block diagram illustrating an example of a softwarearchitecture that may be installed on a machine, according to someexample embodiments.

FIG. 16 depicts a block diagram 1600 illustrating an architecture ofsoftware 1602, according to an example embodiment.

FIG. 17 illustrates a diagrammatic representation of a machine 1700 inthe form of a computer system within which a set of instructions may beexecuted for causing a machine to perform any one or more of themethodologies discussed herein, according to an example embodiment.

DESCRIPTION

The description that follows includes systems, methods, techniques,instruction sequences, and computing machine program products thatembody illustrative embodiments of the present disclosure. In thefollowing description, for purposes of explanation, numerous specificdetails are set forth in order to provide a thorough understanding ofexample embodiments. It will be evident, however, to one skilled in theart that the present subject matter may be practiced without thesespecific details.

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent files or records, but otherwise reserves all copyrightrights whatsoever. The following notice applies to the software and dataas described below and in the drawings that form a part of thisdocument: Copyright Rubrik, Inc., 2018-2019, All Rights Reserved.

FIG. 1 depicts one embodiment of a networked computing environment 100in which the disclosed technology may be practiced. As depicted, thenetworked computing environment 100 includes a data center 150, astorage appliance 140, and a computing device 154 in communication witheach other via one or more networks 180. The networked computingenvironment 100 may also include a plurality of computing devicesinterconnected through one or more networks 180. The one or morenetworks 180 may allow computing devices and/or storage devices toconnect to and communicate with other computing devices and/or otherstorage devices. In some cases, the networked computing environment mayinclude other computing devices and/or other storage devices not shown.The other computing devices may include, for example, a mobile computingdevice, a non-mobile computing device, a server, a work-station, alaptop computer, a tablet computer, a desktop computer, or aninformation processing system. The other storage devices may include,for example, a storage area network storage device, a networked-attachedstorage device, a hard disk drive (HDD), a solid-state drive (SSD), or adata storage system.

The data center 150 may include one or more servers, such as server 160,in communication with one or more storage devices, such as storagedevice 156. The one or more servers may also be in communication withone or more storage appliances, such as storage appliance 170. Theserver 160, storage device 156, and storage appliance 170 may be incommunication with each other via a networking fabric connecting serversand data storage units within the data center to each other. The storageappliance 170 may include a data management system for backing upvirtual machines and/or files within a virtualized infrastructure. Theserver 160 may be used to create and manage one or more virtual machinesassociated with a virtualized infrastructure.

The one or more virtual machines may run various applications, such as adatabase application or a web server. The storage device 156 may includeone or more hardware storage devices for storing data, such as a harddisk drive (HDD), a magnetic tape drive, a solid-state drive (SSD), astorage area network (SAN) storage device, or a Network Attached Storage(NAS) device. In some cases, a data center, such as data center 150, mayinclude thousands of servers and/or data storage devices incommunication with each other. The one or more data storage devices 156may comprise a tiered data storage infrastructure (or a portion of atiered data storage infrastructure). The tiered data storageinfrastructure may allow for the movement of data across different tiersof a data storage infrastructure between higher-cost, higher-performancestorage devices (e.g., solid-state drives and hard disk drives) andrelatively lower-cost, lower-performance storage devices (e.g., magnetictape drives).

The one or more networks 180 may include a secure network such as anenterprise private network, an unsecure network such as a wireless opennetwork, a local area network (LAN), a wide area network (WAN), and theInternet. The one or more networks 180 may include a cellular network, amobile network, a wireless network, or a wired network. Each network ofthe one or more networks 180 may include hubs, bridges, routers,switches, and wired transmission media such as a direct-wiredconnection. The one or more networks 180 may include an extranet orother private network for securely sharing information or providingcontrolled access to applications or files.

A server, such as server 160, may allow a client to download informationor files (e.g., executable, text, application, audio, image, or videofiles) from the server or to perform a search query related toparticular information stored on the server, In some cases, a server mayact as an application server or a file server. In general, a server 160may refer to a hardware device that acts as the host in a client-serverrelationship or a software process that shares a resource with orperforms work for one or more clients.

One embodiment of server 160 includes a network interface 165, processor166, memory 167, disk 168, and virtualization manager 169 all incommunication with each other. Network interface 165 allows server 160to connect to one or more networks 180. Network interface 165 mayinclude a wireless network interface and/or a wired network interface.Processor 166 allows server 160 to execute computer readableinstructions stored in memory 167 in order to perform processesdescribed herein. Processor 166 may include one or more processingunits, such as one or more CPUs and/or one or more GPUs. Memory 167 maycomprise one or more types of memory (e.g., RAM, SRAM, DRAM, ROM,EEPROM, Flash, etc. Disk 168 may include a HDD and/or a SSD. Memory 167and disk 168 may comprise hardware storage devices.

The virtualization manager 169 may manage a virtualized infrastructureand perform management operations associated with the virtualizedinfrastructure. The virtualization manager 169 may manage theprovisioning of virtual machines running within the virtualizedinfrastructure and provide an interface to computing devices interactingwith the virtualized infrastructure. In one example, the virtualizationmanager 169 may set a virtual machine having a virtual disk into afrozen state in response to a snapshot request made via an applicationprogramming interface (API) by a storage appliance, such as storageappliance 170. Setting the virtual machine into a frozen state may allowa point in time snapshot of the virtual machine to be stored ortransferred. In one example, updates made to a virtual machine that hasbeen set into a frozen state may be written to a separate file (e.g., anupdate file) while the virtual disk may be set into a read-only state toprevent modifications to the virtual disk file while the virtual machineis in the frozen state.

The virtualization manager 169 may then transfer data associated withthe virtual machine (e.g., an image of the virtual machine or a portionof the image of the virtual disk file associated with the state of thevirtual disk at the point in time is was frozen) to a storage appliance(for example, a storage appliance 140 or 170 of FIG. 1, describedfurther below) in response to a request made by the storage appliance.After the data associated with the point in time snapshot of the virtualmachine has been transferred to the storage appliance 170 (for example),the virtual machine may be released from the frozen state (i.e.,unfrozen) and the updates made to the virtual machine and stored in theseparate file may be merged into the virtual disk file. Thevirtualization manager 169 may perform various virtual machine relatedtasks, such as cloning virtual machines, creating new virtual machines,monitoring the state of virtual machines, moving virtual machinesbetween physical hosts for load balancing purposes, and facilitatingbackups of virtual machines.

One embodiment of a storage appliance 170 (or 140) includes a networkinterface 175, processor 176, memory 177, and disk 178 all incommunication with each other. Network interface 175 allows storageappliance 170 to connect to one or more networks 180. Network interface175 may include a wireless network interface and/or a wired networkinterface. Processor 176 allows storage appliance 170 to executecomputer readable instructions stored in memory 177 in order to performprocesses described herein. Processor 176 may include one or moreprocessing units, such as one or more CPUs and/or one or more GPUs.Memory 177 may comprise one or more types of memory (e.g., RAM, SRAM,DRAM, ROM, EEPROM, NOR Flash, NAND Flash, etc.). Disk 178 may include aHHD and/or a SSD. Memory 177 and disk 178 may comprise hardware storagedevices.

In one embodiment, the storage appliance 170 may include four machines.Each of the four machines may include a multi-core CPU, 64 GB of RAM, a400 GB SSD, three 4 TB HDDs, and a network interface controller. In thiscase, the four machines may be in communication with the one or morenetworks 180 via the four network interface controllers. The fourmachines may comprise four nodes of a server cluster. The server clustermay comprise a set of physical machines that are connected together viaa network. The server cluster may be used for storing data associatedwith a plurality of virtual machines, such as backup data associatedwith different points in time versions of the virtual machines.

The networked computing environment 100 may provide a cloud computingenvironment for one or more computing devices. Cloud computing may referto Internet-based computing, wherein shared resources, software, and/orinformation may be provided to one or more computing devices on-demandvia the Internet. The networked computing environment 100 may comprise acloud computing environment providing SaaS orInfrastructure-as-a-Service (IaaS) services. SaaS may refer to asoftware distribution model in which applications are hosted by aservice provider and made available to end users over the Internet. Inone embodiment, the networked computing environment 100 may include avirtualized infrastructure that provides software, data processing,and/or data storage services to end users accessing the services via thenetworked computing environment 100. In one example, networked computingenvironment 100 may provide cloud-based work productivity orbusiness-related applications to a computing device, such as computingdevice 154. The storage appliance 140 may comprise a cloud-based datamanagement system for backing up virtual machines and/or files within avirtualized infrastructure, such as virtual machines running on server160 or files stored on server 160.

In some cases, networked computing environment 100 may provide remoteaccess to secure applications and files stored within data center 150from a remote computing device, such as computing device 154. The datacenter 150 may use an access control application to manage remote accessto protected resources, such as protected applications, databases, orfiles located within the data center. To facilitate remote access tosecure applications and fifes, a secure network connection may beestablished using a virtual private network (VPN). A VPN connection mayallow a remote computing device, such as computing device 154, tosecurely access data from a private network (e.g., from a company fileserver or mail server) using an unsecure public network or the Internet.The VPN connection may require client-side software (e.g., running onthe remote computing device) to establish and maintain the VPNconnection. The VPN client software may provide data encryption andencapsulation prior to the transmission of secure private networktraffic through the Internet.

In some embodiments, the storage appliance 170 may manage the extractionand storage of virtual machine snapshots associated with different pointin time versions of one or more virtual machines running within the datacenter 150. A snapshot of a virtual machine may correspond with a stateof the virtual machine at a particular point in time. In response to arestore command from the server 160, the storage appliance 170 mayrestore a point in time version of a virtual machine or restore point intime versions of one or more files located on the virtual machine andtransmit the restored data to the server 160. In response to a mountcommand from the server 160, the storage appliance 170 may allow a pointin time version of a virtual machine to be mounted and allow the server160 to read and/or modify data associated with the point in time versionof the virtual machine. To improve storage density, the storageappliance 170 may deduplicate and compress data associated withdifferent versions of a virtual machine and/or deduplicate and compressdata associated with different virtual machines. To improve systemperformance, the storage appliance 170 may first store virtual machinesnapshots received from a virtualized environment in a cache, such as aflash-based cache. The cache may also store popular data or frequentlyaccessed data (e.g., based on a history of virtual machine restorations,incremental files associated with commonly restored virtual machineversions) and current day incremental files or incremental filescorresponding with snapshots captured within the past 24 hours.

An incremental file may comprise a forward incremental file or a reverseincremental file. A forward incremental file may include a set of datarepresenting changes that have occurred since an earlier point in timesnapshot of a virtual machine. To generate a snapshot of the virtualmachine corresponding with a forward incremental file, the forwardincremental file may be combined with an earlier point in time snapshotof the virtual machine (e.g., the forward incremental tile may becombined with the last full image of the virtual machine that wascaptured before the forward incremental file was captured and any otherforward incremental files that were captured subsequent to the last fullimage and prior to the forward incremental file). A reverse incrementalfile may include a set of data representing changes from a later pointin time snapshot of a virtual machine. To generate a snapshot of thevirtual machine corresponding with a reverse incremental file, thereverse incremental file may be combined with a later point in timesnapshot of the virtual machine (e.g., the reverse incremental file maybe combined with the most recent snapshot of the virtual machine and anyother reverse incremental files that were captured prior to the mostrecent snapshot and subsequent to the reverse incremental file).

The storage appliance 170 may provide a user interface (e.g., aweb-based interface or a graphical user interface (GUI)) that displaysvirtual machine backup information such as identifications of thevirtual machines protected and the historical versions or time machineviews for each of the virtual machines protected. A time machine view ofa virtual machine may include snapshots of the virtual machine over aplurality of points in time. Each snapshot may comprise the state of thevirtual machine at a particular point in time. Each snapshot maycorrespond with a different version of the virtual machine (e.g.,Version 1 of a virtual machine may correspond with the state of thevirtual machine at a first point in time and Version 2 of the virtualmachine may correspond with the state of the virtual machine at a secondpoint in time subsequent to the first point in time).

The user interface may enable an end user of the storage appliance 170(e.g., a system administrator or a virtualization administrator) toselect a particular version of a virtual machine to be restored ormounted. When a particular version of a virtual machine has beenmounted, the particular version may be accessed by a client (e.g., avirtual machine, a physical machine, or a computing device) as if theparticular version was local to the client. A mounted version of avirtual machine may correspond with a mount point directory (e.g.,/snapshots/VM5Nersion23). In one example, the storage appliance 170 mayrun an NFS server and make the particular version (or a copy of theparticular version) of the virtual machine accessible for reading and/orwriting. The end user of the storage appliance 170 may then select theparticular version to be mounted and run an application (e.g., a dataanalytics application) using the mounted version of the virtual machine.In another example, the particular version may be mounted as an iSCSItarget.

FIG. 2 depicts one embodiment of server 160 in FIG. 1. The server 160may comprise one server out of a plurality of servers that are networkedtogether within a data center. In one example, the plurality of serversmay be positioned within one or more server racks within the datacenter. As depicted, the server 160 includes hardware-level componentsand software-level components. The hardware-level components include oneor more processors 182, one or more memories 184, and one or more disks185. The software-level components include a hypervisor 186, avirtualized infrastructure manager 199, and one or more virtualmachines, such as virtual machine 198. The hypervisor 186 may comprise anative hypervisor or a hosted hypervisor. The hypervisor 186 may providea virtual operating platform for running one or more virtual machines,such as virtual machine 198. Virtual machine 198 includes a plurality ofvirtual hardware devices including a virtual processor 192, a virtualmemory 194, and a virtual disk 195. The virtual disk 195 may comprise afile stored within the one or more disks 185. In one example, a virtualmachine 198 may include a plurality of virtual disks 195, with eachvirtual disk of the plurality of virtual disks associated with adifferent file stored on the one or more disks 185. Virtual machine 198may include a guest operating system 196 that runs one or moreapplications, such as application 197.

The virtualized infrastructure manager 199, which may correspond withthe virtualization manager 169 in FIG. 1, may run on a virtual machineor natively on the server 160. The virtual machine may, for example, beor include the virtual machine 198 or a virtual machine separate fromthe server 160. Other arrangements are possible. The virtualizedinfrastructure manager 199 may provide a centralized platform formanaging a virtualized infrastructure that includes a plurality ofvirtual machines. The virtualized infrastructure manager 199 may managethe provisioning of virtual machines running within the virtualizedinfrastructure and provide an interface to computing devices interactingwith the virtualized infrastructure. The virtualized infrastructuremanager 199 may perform various virtualized infrastructure relatedtasks, such as cloning virtual machines, creating new virtual machines,monitoring the state of virtual machines, and facilitating backups ofvirtual machines.

In one embodiment, the server 160 may use the virtualized infrastructuremanager 199 to facilitate backups for a plurality of virtual machines(e.g., eight different virtual machines) running on the server 160. Eachvirtual machine running on the server 160 may run its own guestoperating system and its own set of applications. Each virtual machinerunning on the server 160 may store its own set of files using one ormore virtual disks associated with the virtual machine (e.g., eachvirtual machine may include two virtual disks that are used for storingdata associated with the virtual machine).

In one embodiment, a data management application running on a storageappliance, such as storage appliance 140 in FIG. 1 or storage appliance170 in FIG. 1, may request a snapshot of a virtual machine running onserver 160. The snapshot of the virtual machine may be stored as one ormore files, with each file associated with a virtual disk of the virtualmachine. A snapshot of a virtual machine may correspond with a state ofthe virtual machine at a particular point in time. The particular pointin time may be associated with a timestamp. In one example, a firstsnapshot of a virtual machine may correspond with a first state of thevirtual machine (including the state of applications and files stored onthe virtual machine) at a first point in time and a second snapshot ofthe virtual machine may correspond with a second state of the virtualmachine at a second point in time subsequent to the first point in time.

In response to a request for a snapshot of a virtual machine at aparticular point in time, the virtualized infrastructure manager 199 mayset the virtual machine into a frozen state or store a copy of thevirtual machine at the particular point in time. The virtualizedinfrastructure manager 199 may then transfer data associated with thevirtual machine (e.g., an image of the virtual machine or a portion ofthe image of the virtual machine) to the storage appliance. The dataassociated with the virtual machine may include a set of files includinga virtual disk file storing contents of a virtual disk of the virtualmachine at the particular point in time and a virtual machineconfiguration file storing configuration settings for the virtualmachine at the particular point in time. The contents of the virtualdisk file may include the operating system used by the virtual machine,local applications stored on the virtual disk, and user files (e.g.,images and word processing documents). In some cases, the virtualizedinfrastructure manager 199 may transfer a full image of the virtualmachine to the storage appliance 140 or 170 of FIG. 1 or a plurality ofdata blocks corresponding with the full image (e.g., to enable a fullimage-level backup of the virtual machine to be stored on the storageappliance). In other cases, the virtualized infrastructure manager 199may transfer a portion of an image of the virtual machine associatedwith data that has changed since an earlier point in time prior to theparticular point in time or since a last snapshot of the virtual machinewas taken. In one example, the virtualized infrastructure manager 199may transfer only data associated with virtual blocks stored on avirtual disk of the virtual machine that have changed since the lastsnapshot of the virtual machine was taken. In one embodiment, the datamanagement application may specify a first point in time and a secondpoint in time and the virtualized infrastructure manager 199 may outputone or more virtual data blocks associated with the virtual machine thathave been modified between the first point in time and the second pointin time.

In some embodiments, the server 160 may or the hypervisor 186 maycommunicate with a storage appliance, such as storage appliance 140 inFIG. 1 or storage appliance 170 in FIG. 1, using a distributed filesystem protocol such as NFS Version 3 or Server Message Block (SMB)protocol. The distributed file system protocol may allow the server 160or the hypervisor 186 to access, read, write, or modify files stored onthe storage appliance as if the files were locally stored on the server.The distributed file system protocol may allow the server 160 or thehypervisor 186 to mount a directory or a portion of a file systemlocated within the storage appliance.

FIG. 3 depicts one embodiment of storage appliance 170 in FIG. 1. Thestorage appliance may include a plurality of physical machines that maybe grouped together and presented as a single computing system. Eachphysical machine of the plurality of physical machines may comprise anode in a cluster (e.g., a failover cluster). In one example, thestorage appliance may be positioned within a server rack within a datacenter. As depicted, the storage appliance 170 includes hardware-levelcomponents and software-level components. The hardware-level componentsinclude one or more physical machines, such as physical machine 120 andphysical machine 130. The physical machine 120 includes a networkinterface 121, processor 122, memory 123, and disk 124 all incommunication with each other. Processor 122. allows physical machine120 to execute computer readable instructions stored in memory 123 toperform processes described herein. Disk 124 may include a HDD and/or aSSD. The physical machine 130 includes a network interface 131,processor 132, memory 133, and disk 134 all in communication with eachother. Processor 132 allows physical machine 130 to execute computerreadable instructions stored in memory 133 to perform processesdescribed herein. Disk 134 may include a HDD and/or a SSD. In somecases, disk 134 may include a flash-based SSD or a hybrid HDD/SSD drive.In one embodiment, the storage appliance 170 may include a plurality ofphysical machines arranged in a cluster (e.g., eight machines in acluster). Each of the plurality of physical machines may include aplurality of multi-core CPUs, 108 GB of RAM, a 500 GB SSD, four 4 TBHDDs, and a network interface controller.

In some embodiments, the plurality of physical machines may be used toimplement a cluster-based network fileserver. The cluster-based networkfile server may neither require nor use a front-end load balancer. Oneissue with using a front-end load balancer to host the IP address forthe cluster-based network file server and to forward requests to thenodes of the cluster-based network file server is that the front-endload balancer comprises a single point of failure for the cluster-basednetwork file server. In some cases, the file system protocol used by aserver, such as server 160 in FIG. 1, or a hypervisor, such ashypervisor 186 in FIG. 2, to communicate with the storage appliance 170may not provide a failover mechanism (e.g., NIS Version 3). In the casethat no failover mechanism is provided on the client side, thehypervisor may not be able to connect to a new node within a cluster inthe event that the node connected to the hypervisor fails.

In some embodiments, each node in a cluster may be connected to eachother via a network and may be associated with one or more IP addresses(e.g., two different IP addresses may be assigned to each node). In oneexample, each node in the cluster may be assigned a permanent IP addressand a floating IP address and may be accessed using either the permanentIP address or the floating IP address. In this case, a hypervisor, suchas hypervisor 186 in FIG. 2, may be configured with a first floating IPaddress associated with a first node in the cluster. The hypervisor mayconnect to the cluster using the first floating IP address. In oneexample, the hypervisor may communicate with the cluster using the NFSVersion 3 protocol. Each node in the cluster may run a Virtual RouterRedundancy Protocol (VRRP) daemon. A daemon may comprise a backgroundprocess. Each VRRP daemon may include a list of all floating IPaddresses available within the cluster. In the event that the first nodeassociated with the first floating IP address fails, one of the VRRPdaemons may automatically assume or pick up the first floating IPaddress if no other VRRP daemon has already assumed the first floatingIP address. Therefore, if the first node in the cluster fails orotherwise goes down, then one of the remaining VRRP daemons running onthe other nodes in the cluster may assume the first floating IP addressthat is used by the hypervisor for communicating with the cluster.

In order to determine which of the other nodes in the cluster willassume the first floating IP address, a VRRP priority may beestablished. In one example, given a number (N) of nodes in a clusterfrom node(0) to node(N-1), for a floating IP address (i), the VRRPpriority of nodeG) may be G-i) modulo N. In another example, given anumber (N) of nodes in a cluster from node(0) to node(N-1), for afloating IP address (i), the VRRP priority of nodeG) may be (i-j) moduloN. In these cases, nodeG) will assume floating IP address (i) only ifits VRRP priority is higher than that of any other node in the clusterthat is alive and announcing itself on the network. Thus, if a nodefails, then there may be a clear priority ordering for determining whichother node in the cluster will take over the failed node's floating IPaddress.

In some cases, a cluster may include a plurality of nodes and each nodeof the plurality of nodes may be assigned a different floating IPaddress. In this case, a first hypervisor may be configured with a firstfloating IP address associated with a first node in the cluster, asecond hypervisor may be configured with a second floating IP addressassociated with a second node in the cluster, and a third hypervisor maybe configured with a third floating IP address associated with a thirdnode in the cluster.

As depicted in FIG. 3, the software-level components of the storageappliance 170 may include data management system 102, a virtualizationinterface 104, a distributed job scheduler 108, a distributed metadatastore 110, a distributed file system 112, and one or more virtualmachine search indexes, such as virtual machine search index 106. In oneembodiment, the software-level components of the storage appliance 170may be run using a dedicated hardware-based appliance. In anotherembodiment, the software-level components of the storage appliance 170may be run from the cloud (e.g., the software-level components may beinstalled on a cloud service provider).

In some cases, the data storage across a plurality of nodes in a clusterthe data storage available from the one or more physical machines) maybe aggregated and made available over a single file system namespace(e.g., /snapshots/). A directory for each virtual machine protectedusing the storage appliance 170 may be created (e.g., the directory forVirtual Machine A may be /snapshots/VM_A). Snapshots and other dataassociated with a virtual machine may reside within the directory forthe virtual machine. In one example, snapshots of a virtual machine maybe stored in subdirectories of the directory (e.g., a first snapshot ofVirtual Machine A may reside in /snapshots/VM_A/s1/ and a secondsnapshot of Virtual Machine A may reside in /snapshots/VM_A/s2/).

The distributed file system 112 may present itself as a single filesystem, in which, as new physical machines or nodes are added to thestorage appliance 170, the cluster may automatically discover theadditional nodes and automatically increase the available capacity ofthe file system for storing files and other data. Each file stored inthe distributed file system 112 may be partitioned into one or morechunks or shards. Each of the one or more chunks may be stored withinthe distributed file system 112 as a separate file. The files storedwithin the distributed file system 112 may be replicated or mirroredover a plurality of physical machines, thereby creating a load-balancedand fault tolerant distributed file system. In one example, storageappliance 170 may include ten physical machines arranged as a failovercluster, and a first file corresponding with a snapshot of a virtualmachine (e.g., /snapshots/VM_A/s1/s1.full) may be replicated and storedon three of the ten machines.

The distributed metadata store 110 may include a distributed databasemanagement system that provides high availability without a single pointof failure. In one embodiment, the distributed metadata store 110 maycomprise a database, such as a distributed document-oriented database.The distributed metadata store 110 may be used as a distributed keyvalue storage system. In one example, the distributed metadata store 110may comprise a distributed NoSQL key value store database. In somecases, the distributed metadata store 110 may include a partitioned rowstore, in which rows are organized into tables or other collections ofrelated data held within a structured format within the key value storedatabase. A table (or a set of tables) may be used to store metadatainformation associated with one or more files stored within thedistributed file system 112. The metadata information may include thename of a file, a size of the file, file permissions associated with thefile, when the file was last modified, and file mapping informationassociated with an identification of the location of the file storedwithin a cluster of physical machines. In one embodiment, a new filecorresponding with a snapshot of a virtual machine may be stored withinthe distributed file system 112 and metadata associated with the newfile may be stored within the distributed metadata store 110. Thedistributed metadata store 110 may also be used to store a backupschedule for the virtual machine and a list of snapshots for the virtualmachine that are stored using the storage appliance 170.

In some cases, the distributed metadata store 110 may be used to manageone or more versions of a virtual machine. Each version of the virtualmachine may correspond with a full image snapshot of the virtual machinestored within the distributed file system 112 or an incremental snapshotof the virtual machine (e.g., a forward incremental or reverseincremental) stored within the distributed file system 112. In oneembodiment, the one or more versions of the virtual machine maycorrespond with a plurality of files. The plurality of files may includea single full image snapshot of the virtual machine and one or moreincremental aspects derived from the single frill image snapshot. Thesingle full image snapshot of the virtual machine may be stored using afirst storage device of a first type (e.g., an HDD) and the one or moreincremental aspects derived from the single full image snapshot may bestored using a second storage device of a second type (e.g., an SSD). Inthis case, only a single full image needs to be stored and each versionof the virtual machine may be generated from the single full image orthe single full image combined with a subset of the one or moreincremental aspects. Furthermore, each version of the virtual machinemay be generated by performing a sequential read from the first storagedevice (e.g., reading a single file from an HDD) to acquire the fullimage and, in parallel, performing one or more reads from the secondstorage device (e.g., performing fast random reads from an SSD) toacquire the one or more incremental aspects.

The distributed job scheduler 108 may be used for scheduling backup jobsthat acquire and store virtual machine snapshots for one or more virtualmachines over time. The distributed job scheduler 108 may follow abackup schedule to backup an entire image of a virtual machine at aparticular point in time or one or more virtual disks associated withthe virtual machine at a particular point in time. In one example, thebackup schedule may specify that the virtual machine be backed up at asnapshot capture frequency, such as every two hours or every 24 hours.Each backup job may be associated with one or more tasks to be performedin a sequence. Each of the one or more tasks associated with a job maybe run on a particular node within a cluster. In some cases, thedistributed job scheduler 108 may schedule a specific job to be run on aparticular node based on data stored on the particular node. Forexample, the distributed job scheduler 108 may schedule a virtualmachine snapshot job to be run on a node in a cluster that is used tostore snapshots of the virtual machine in order to reduce networkcongestion.

The distributed job scheduler 108 may comprise a distributed faulttolerant job scheduler, in which jobs affected by node failures arerecovered and rescheduled to be run on available nodes. In oneembodiment, the distributed job scheduler 108 may be fully decentralizedand implemented without the existence of a master node. The distributedjob scheduler 108 may run job scheduling processes on each node in acluster or on a plurality of nodes in the cluster. In one example, thedistributed job scheduler 108 may run a first set of job schedulingprocesses on a first node in the cluster, a second set of job schedulingprocesses on a second node in the cluster, and a third set of jobscheduling processes on a third node in the cluster. The first set ofjob scheduling processes, the second set of job scheduling processes,and the third set of job scheduling processes may store informationregarding jobs, schedules, and the states of jobs using a metadatastore, such as distributed metadata store 110. In the event that thefirst node running the first set of job scheduling processes fails(e.g., due to a network failure or a physical machine failure), thestates of the jobs managed by the first set of job scheduling processesmay fail to be updated within a threshold period of time (e.g., a jobmay fail to be completed within 30 seconds or within minutes from beingstarted). In response to detecting jobs that have failed to be updatedwithin the threshold period of time, the distributed job scheduler 108may undo and restart the failed jobs on available nodes within thecluster.

The job scheduling processes running on at least a plurality of nodes ina cluster (e.g., on each available node in the cluster) may manage thescheduling and execution of a plurality of jobs. The job schedulingprocesses may include run processes for running jobs, cleanup processesfor cleaning up failed tasks, and rollback processes for rolling-back orundoing any actions or tasks performed by failed jobs. In oneembodiment, the job scheduling processes may detect that a particulartask for a particular job has failed and in response may perform acleanup process to dean up or remove the effects of the particular taskand then perform a rollback process that processes one or more completedtasks for the particular job in reverse order to undo the effects of theone or more completed tasks. Once the particular job with the failedtask has been undone, the job scheduling processes may restart theparticular job on an available node in the cluster.

The distributed job scheduler 108 may manage a job in which a series oftasks associated with the job are to be performed atomically (i.e.,partial execution of the series of tasks is not permitted). If theseries of tasks cannot be completely executed or there is any failurethat occurs to one of the series of tasks during execution (e.g., a harddisk associated with a physical machine fails or a network connection tothe physical machine fails), then the state of a data management systemmay be returned to a state as if none of the series of tasks were everperformed. The series of tasks may correspond with an ordering of tasksfor the series of tasks and the distributed job scheduler 108 may ensurethat each task of the series of tasks is executed based on the orderingof tasks. Tasks that do not have dependencies with each other may beexecuted in parallel.

In some cases, the distributed job scheduler 108 may schedule each taskof a series of tasks to be performed on a specific node in a cluster. Inother cases, the distributed job scheduler 108 may schedule a first taskof the series of tasks to be performed on a first node in a cluster anda second task of the series of tasks to be performed on a second node inthe cluster. In these cases, the first task may have to operate on afirst set of data (e.g., a first file stored in a file system) stored onthe first node and the second task may have to operate on a second setof data metadata related to the first file that is stored in a database)stored on the second node. In some embodiments, one or more tasksassociated with a job may have an affinity to a specific node in acluster.

In one example, if the one or more tasks require access to a databasethat has been replicated on three nodes in a cluster, then the one ormore tasks may be executed on one of the three nodes. In anotherexample, if the one or more tasks require access to multiple chunks ofdata associated with a virtual disk that has been replicated over fournodes in a cluster, then the one or more tasks may be executed on one ofthe four nodes. Thus, the distributed job scheduler 108 may assign oneor more tasks associated with a job to be executed on a particular nodein a cluster based on the location of data to be accessed by the one ormore tasks.

In one embodiment, the distributed job scheduler 108 may manage a firstjob associated with capturing and storing a snapshot of a virtualmachine periodically (e.g., every 30 minutes). The first job may includeone or more tasks, such as communicating with a virtualizedinfrastructure manager, such as the virtualized infrastructure manager199 in FIG. 2, to create a frozen copy of the virtual machine and totransfer one or more chunks (or one or more tiles) associated with thefrozen copy to a storage appliance, such as storage appliance 170 inFIG. 1. The one or more tasks may also include generating metadata forthe one or more chunks, storing the metadata using the distributedmetadata store 110, storing the one or more chunks within thedistributed file system 112, and communicating with the virtualizedinfrastructure manager 199 that the frozen copy of the virtual machinemay be unfrozen or released from a frozen state. The metadata for afirst chunk of the one or more chunks may include information specifyinga version of the virtual machine associated with the frozen copy, a timeassociated with the version (e.g., the snapshot of the virtual machinewas taken at 5:30 p.m. on Jun. 29, 2018), and a file path to where thefirst chunk is stored within the distributed file system 112 (e.g., thefirst chunk is located at /snapshotsNM_B/s1/s1.chunk1). The one or moretasks may also include deduplication, compression (e.g., using alossless data compression algorithm such as LZ4 or LZ77), decompression,encryption (e.g., using a symmetric key algorithm such as Triple DES orAES-256), and decryption related tasks.

The virtualization interface 104 may provide an interface forcommunicating with a virtualized infrastructure manager managing avirtualization infrastructure, such as virtualized infrastructuremanager 199 in FIG. 2, and requesting data associated with virtualmachine snapshots from the virtualization infrastructure. Thevirtualization interface 104 may communicate with the virtualizedinfrastructure manager using an API for accessing the virtualizedinfrastructure manager (e.g., to communicate a request for a snapshot ofa virtual machine). In this case, storage appliance 170 may request andreceive data from a virtualized infrastructure without requiring agentsoftware to be installed or running on virtual machines within thevirtualized infrastructure. The virtualization interface 104 may requestdata associated with virtual blocks stored on a virtual disk of thevirtual machine that have changed since a last snapshot of the virtualmachine was taken or since a specified prior point in time. Therefore,in some cases, if a snapshot of a virtual machine is the first snapshottaken of the virtual machine, then a full image of the virtual machinemay be transferred to the storage appliance. However, if the snapshot ofthe virtual machine is not the first snapshot taken of the virtualmachine, then only the data blocks of the virtual machine that havechanged since a prior snapshot was taken may be transferred to thestorage appliance.

The virtual machine search index 106 may include a list of files thathave been stored using a virtual machine and a version history for eachof the files in the list. Each version of a file may be mapped to theearliest point in time snapshot of the virtual machine that includes theversion of the file or to a snapshot of the virtual machine thatincludes the version of the file (e.g., the latest point in timesnapshot of the virtual machine that includes the version of the file).In one example, the virtual machine search index 106 may he used toidentify a version of the virtual machine that includes a particularversion of a file (e.g., a particular version of a database, aspreadsheet, or a word processing document). In some cases, each of thevirtual machines that are backed up or protected using storage appliance170 may have a corresponding virtual machine search index.

In one embodiment, as each snapshot of a virtual machine is ingested,each virtual disk associated with the virtual machine is parsed in orderto identify a file system type associated with the virtual disk and toextract metadata (e.g., file system metadata) for each file stored onthe virtual disk. The metadata may include information for locating andretrieving each file from the virtual disk. The metadata may alsoinclude a name of a file, the size of the file, the last time at whichthe file was modified, and a content checksum for the file. Each filethat has been added, deleted, or modified since a previous snapshot wascaptured may be determined using the metadata (e.g., by comparing thetime at which a file was last modified with a time associated with theprevious snapshot). Thus, for every file that has existed within any ofthe snapshots of the virtual machine, a virtual machine search index maybe used to identify when the file was first created (e.g., correspondingwith a first version of the file) and at what times the file wasmodified (e.g., corresponding with subsequent versions of the file).Each version of the file may be mapped to a particular version of thevirtual machine that stores that version of the file.

In some cases, if a virtual machine includes a plurality of virtualdisks, then a virtual machine search index may be generated for eachvirtual disk of the plurality of virtual disks. For example, a firstvirtual machine search index may catalog and map files located on afirst virtual disk of the plurality of virtual disks and a secondvirtual machine search index may catalog and map files located on asecond virtual disk of the plurality of virtual disks. In this case, aglobal file catalog or a global virtual machine search index for thevirtual machine may include the first virtual machine search index andthe second virtual machine search index. A global file catalog may bestored for each virtual machine backed up by a storage appliance withina file system, such as distributed file system 112 in FIG. 3.

The data management system 102 may comprise an application running onthe storage appliance that manages and stores one or more snapshots of avirtual machine. In one example, the data management system 102 maycomprise a highest-level layer in an integrated software stack runningon the storage appliance. The integrated software stack may include thedata management system 102, the virtualization interface 104, thedistributed job scheduler 108, the distributed metadata store 110, andthe distributed file system 112.

In some cases, the integrated software stack may run on other computingdevices, such as a server or computing device 154 in FIG. 1. The datamanagement system 102 may use the virtualization interface 104, thedistributed job scheduler 108, the distributed metadata store 110, andthe distributed file system 112 to manage and store one or moresnapshots of a virtual machine. Each snapshot of the virtual machine maycorrespond with a point in time version of the virtual machine. The datamanagement system 102 may generate and manage a list of versions for thevirtual machine. Each version of the virtual machine may map to orreference one or more chunks and/or one or more files stored within thedistributed file system 112. Combined together, the one or more chunksand/or the one or more files stored within the distributed file system112 may comprise a fa image of the version of the virtual machine.

A high-level overview of example anomaly and ransomware detectionsoftware architecture 400 is shown in FIG. 4. As mentioned above, someexample anomaly and ransomware detection systems described hereinleverage machine learning to detect anomalies and ransomware on databackups with little or no impact on production systems. Ransomware maybe characterized by an encryption profile in some instances. Someexample anomaly and ransomware detection systems or applications of thepresent disclosure include or are based on a hybrid-cloud architectureto enable computational scaling. Some examples utilize snapshot metadatacomputed by a data backup system to minimize computational overheadwhile delivering high-precision prediction results. In some examples,significant computational processing is offloaded to a cloud-based SaaSplatform to reduce computational stress placed on a primary machinebeing backed up.

Example workflow operations in an overview of an example anomaly andransomware detection pipeline 500 are shown in FIG. 5. The pipeline 500may include first and second machine learning systems in some examples.In the illustrated example, a filesystem metadata diff (diff FMD) file502 is created by a data backup system (for example, overseen by thevirtualization manager 169 described further above) whenever a snapshotis taken for a primary machine. The diff FMD file 502 contains a list ofentries 504 corresponding to files that have been created, deleted, ormodified, and may include a log of all file changes that have takenplace on the primary machine.

In some examples, one or more diff FMD files 502 are used as trainingdata by a first machine learning system that may include a featurevectorization module 506 and an anomaly machine-learning (ML) model 508to generate an anomaly. prediction 510. The generated anomaly prediction510 is communicated at 512 to a front-end web user interface 526 of aSaaS platform (for example, as described above). In some examples, thecomponents illustrated in the anomaly and ransomware detection pipeline500 operate only on snapshot metadata and not production data orinfrastructure, and hence have minimal effect (if any) on a productionsystem.

Furthermore, in some examples, instead of running the workflow pipeline500 on the data backup system, the data backup system uploads the diffFMD files 502 to the SaaS platform to be processed by a pipelineresiding in the cloud. In this arrangement, not only is there minimalimpact on primary machine production, but very limited impact on theperformance of associated backup and recovery jobs.

In the illustrated workflow pipeline example, if a filesystem anomaly isdetected by the first machine learning system, a request 514 is made tothe data backup system to initiate a second stage of the workflowpipeline 500. During this second stage, the data backup system performsan entropy scan 516 for all files that have changed on the primarymachine since the last snapshot was taken. The results are saved to afile (for example, a ransomware SSTable 518). The file is then uploadedto the SaaS platform for further processing by a second machine learningsystem. The second machine learning system includes a featurevectorization module 520 and an encryption model 522 trained to predictransomware encryption events. The second machine learning systemaccesses and processes the SSTable 518 in the file to determine whethera ransomware infection event has occurred on the primary machine. Anencryption prediction 524 is communicated at 528 to the web front-end ofthe SaaS platform 526.

By adopting a two-stage analysis architecture that ingests and processessnapshot metadata for anomaly and ransomware detection, the ransomwaredetection pipeline 500 can scale up with ease, even for a clustercontaining hundreds of thousands of primary machines. In some examples,as discussed, the components in the anomaly and ransomware detectionpipeline 500 include two machine-learning models. The anomaly detectionmodel 508 may be implemented using a deep neural network (DNN), and theencryption detection model 522 may be implemented using a logisticregression model (LRM).

In some examples, both machine learning models 508 and 522 are trainedusing supervised learning, which may include presenting labelled data tothe machine learning models as training data. Sufficient and appropriatelabelled data is typically keenly sought as a key aspect of accuratetraining and may be especially significant for real-world applications.In order to train a well-calibrated model, it may be desirable to buildta well-balanced labelled dataset that consists of a. roughly equalproportion of data points corresponding to “normal” filesystem behaviorand data points corresponding to “anomalous” and/or ransomware“encryption” activity.

Although the existence of ransomware presents an ever-increasing threat,the collection of the requisite labelled data may be difficult as theoccurrence of ransomware encryption in a snapshot is statistically rarein a production environment. This renders a production environment anunreliable source for collecting data points corresponding to ransomwareevents. In order to address this short-coming in the data sourcingprocess, some examples herein include or are based on a FMAT. A FMATaddresses data scarcity problems and can enable the building ofsignificantly more complex machine learning models.

In some examples, a MAT operates by repeatedly sampling metadata filesfrom a seed corpus and merging them according to a pre-definedheuristic. The merging process “simulates” ransomware activity for agiven snapshot, without the expensive overhead of actually setting up amachine to run ransomware infection experiments. This technique ishighly scalable and can be applied across millions of snapshots togenerate sufficient data to train the machine learning models 508 and522 in example ransomware detection systems. In some FMAT examples, itis possible to synthesize a well-balanced dataset containing millions ofdata points from both positive and negative classes for machinelearning. Moreover, the creation of such datasets can take place in amatter of hours rather than weeks or months as is typically the case formost data collection processes.

A typical scenario for a system infected with ransomware may begin witha user accidently downloading ransomware onto their filesystem. The usermay accidentally or unknowingly execute malware masked as a harmless PDFdocument in an email attachment, for example. The ransomware thenquickly encrypts a large number of documents in the user's filesystemwith the decryption key hidden to the user. In most instances, the userwill not know that they have been infected with ransomware until theyattempt to open an encrypted file. Given the static nature of mostfilesystems, it is quite possible for ransomware to remain undiscoveredfor a significant period of time. This observation is also indicative ofthe fact that when a ransomware infection does occur, the event may becharacterized by a sudden burst of activity in terms of the absolutenumber of files in the system that are created, deleted, and modified.

With reference to FIG. 6, it may be useful in this regard to categorizecertain classes of ransomware to gain a deeper understanding of aspectsof the present disclosure. A conceptual description for each of theseexample classes is provided according to the classification 600 shown inthe view. Class A ransomware overwrites the content of a file viaencryption, with a possible renaming of the file. Class B ransomwareextends Class A and moves files out of a user directory to a temporarydirectory, encrypts the files in the temporary directory, then movesthem back. The file name may be changed during the move. Class Cransomware creates a new, independent, encrypted file. The original fileis deleted or overwritten. It may be noted that each of these ransomwareclasses may share a high degree of overlap in terms of ransomwarebehavior. An example situation might include ransomware which bothencrypts files by overwriting them and encrypts files by creating newones and deleting the original file. Some example anomaly and ransomwaredetection pipelines may include a goal of being able to detect all threeransomware classes both independently and jointly.

To this end, certain factors may be utilized in anomaly and ransomwaredetection based on machine learning. A first factor may include anobservation that most directories in a filesystem remain static overtime, marked by sudden periods of high activity. Given that ransomwaretends to run relatively quickly across a short period of time, it may besufficient to simply examine the entropy changes of the files modifiedin a filesystem in order to detect an infection. This factor may improvescalability significantly, since it allows a ransomware detectionpipeline to examine only the partial contents of a filesystem forransomware.

A second factor may include an observation that ransomware encryption ina snapshot is a statistically rare event. In particular, the majority ofsnapshots will consist of little to no changes to the underlying machinebeing backed up. Thus, it is possible to make significant savings incomputational processing by scanning only for ransomware on filesystemsthat show a non-trivial likelihood of being infected.

With reference to FIG. 7, these factors allow the configuration orcategorization 700 of an anomaly and ransomware detection pipelinecomprising two stages. A first stage, which may be referred to as aFilesystem Behavior Analysis stage, includes a computationally “cheap”scan of filesystem metadata to detect and identify a first set ofanomalous snapshot changes 702. A second stage, which may be referred toas a Filesystem Content Analysis stage, includes a relatively moreexpensive scan of the actual filesystem contents to detect and identifya second set 704 of malicious encryption events. An intersection of sets702 and 704 may include a prediction set 706 of likely ransomwareinfection events that may be further investigated. By adopting atwo-stage anomaly-encryption detection architecture for anomaly andransomware detection, an example detection pipeline can be built toscale across millions of machines.

An example first stage (Filesystem Behavior Analysis) performs apreliminary analysis for anomalous events by examining the changes inthe filesystem since a previous snapshot, typically the last snapshot.This stage is initiated by the upload of a diff FMD file from a databackup system as discussed above. The diff FMD file is a metadata filethat lists the files that have changed in a filesystem since the lastsnapshot. These diff FMD files tend to be relatively small and are about1 or 2 kilobytes in size when represented in a binary encoding. Anexample of some filesystem metadata 800 in a cliff FMD file is shown inhuman-readable format in FIG. 8.

The diff FMD file may be uploaded to a SaaS platform (for example, asdescribed above), where it is used, for example, by the first machinelearning system to predict for anomalies. In one example, a detection ofa large number of files being added to or moved around a directory maybe indicative of an anomaly such as a malware or ransomware infection.The computation carried out during this stage is relatively lightweightand highly scalable since it is primarily ingesting the file changestatistics since the last snapshot, rather than the full snapshotitself. Thus the necessary data processing to predict anomalies is veryfast.

In the course of taking a snapshot on a primary machine, for example,taken by a data backup system, the system mounts that snapshot andcrawls the filesystem of the mounted machine. FMD is generated duringthe crawling step and the metadata file specifies the structure of thefilesystem along with a set of metadata attributes for each file withinit (such as the file path or file size).

As discussed above more generally, once the FMD file has been generated,it is compared with the FMD file from the previous snapshot to compute aduff FMD file, for example diff FMD file 502. In FIG. 5. This diff FMD502 contains a list of entries corresponding to files that have beencreated, deleted, or modified, and may include a complete log of thefile changes that have taken place on the backup. The diff FMDs (asopposed to conventional FMDs) are ingested by the first machine learningsystem (for example, modules or models 506 and 508) to produce aninitial anomaly prediction 510. By modelling the anomaly detectionproblem using a deep neural network, the system is able to make highlyaccurate predictions on whether an anomalous event has occurred in a newsnapshot. A high level of accuracy may be crucial during this firststage (Filesystem Behavior Analysis), since the subsequent encryptiondetection stage (Filesystem Content Analysis) is only triggered when ananomaly is detected during the first stage. Thus, in some examples, itis important that the anomaly and ransomware detection pipeline 500 iscapable of flagging any suspicious changes that may have been made by abad actor.

One benefit of using a deep learning approach for anomaly detection isthat the neural network model is capable of learning its own set offeatures when given the raw features from the data. This reduces theneed for expensive hand-engineering of the features by an engineer orscientist. Thus, in some examples, certain feature vectors exposed tothe deep learning model may include many raw statistics computed from adiff FMD file. Some examples of these statistics may include: fileoperation statistics such as the number of files created, deleted, andmodified since the last snapshot, user activity metrics corresponding tofiles that have been changed by the user, system activity metricscorresponding to files that have been changed by the operating system orsoftware running on the machine, and suspicious activity metricscorresponding to the number of files with suspicious names.

During training, the neural network learns a set of high-level featuresbuilt on top of these low-level features to internally represent thesnapshot changes. For example, the neural network may be able to inferthat a ransomware encryption event has occurred from the fact that alarge number of office documents has been modified or deleted in thesystem. These high-level features learned by the neural network enablesit to ultimately predict what type of activity has occurred on theprimary machine and whether this activity warrants an anomaly alert.

The second stage (Filesystem Content Analysis) is primarily responsiblefor detecting encryption activity made by ransomware and is initiatedwhen an anomaly is detected by the anomaly detection model duringfilesystem behavior analysis. File encryption by ransomware tends to becharacterized by a sharp increase in file entropy. Some examples detectwhether a malicious encryption event has occurred by computing anentropy value for files that have changed since the last snapshot andevaluating these entropy readings using a machine learning model.Although analyzing the entropy of the file content may be effectivetowards detecting encryption activity, this is also a computationallyexpensive procedure that requires reading the binary contents of a file.Thus, in some examples, this stage is only triggered in the event of ananomaly alert raised by the initial anomaly detection stage.

In this regard, aspects of computing a ransomware SSTable for a fileentropy are now described. When an anomaly is detected by a machinelearning model, running on a SaaS platform, for example, a request ismade to the data backup system to initiate the second stage of theransomware detection pipeline. During this second stage, the data backupsystem performs an entropy scan for all the files that have changed onthe primary machine since the last snapshot. The computed file entropyvalues are stored in a ransomware SSTable (RST) file (for example,ransomware SSTable 518 of FIG. 5), which is uploaded to the SaaSplatform to be processed by a ransomware (encryption) detection pipeline(assuming that an anomaly was detected during the first stage). Theransomware (encryption) detection pipeline may include modules or models520 and 522 of FIG. 5. An example RST file may contain entropy valuesfor files that have been added or modified since the last snapshot wastaken. Entropy values may be computed by calculating a Shannon entropyfor the first 512 bytes (or more generally some number (N)) of the file.Example ransomware SStable content 900 of an RST file is shown in FIG.9.

Once the RST file has been uploaded, it is processed by the ransomwaredetection pipeline to predict whether a ransomware encryption eventoccurred on the primary machine. The ransomware detection pipeline willingest the RST file to compute a set of features corresponding toentropy values on various sets of files on the primary machine. Thesefeatures are then fed into the encryption detection model (for example,the encryption detection model 522 of FIG. 5) to identify encryptionactivity. In some examples, the encryption detection model is alsoimplemented using machine learning similar to the anomaly detectionmodel. The underlying implementation uses LRM. The LRM is favored forits simplicity and scalability and is robust against noise in the data.The encryption detection model may be trained using supervised learningsimilar to the anomaly detection model.

Example features for predicting ransomware encryption events are nowdescribed. A set of features used for encryption detection (for example,set 704) may be relatively small when compared with a set of featuresused for anomaly detection (for example, set 702). Generally speaking,features of interest for encryption detection include: entropystatistics corresponding to the change in entropy levels detected in thebackup, file operation statistics such as the number of files createdand modified since the last snapshot, and suspicious activity metricscorresponding to the number of files with suspicious naming patterns.These features may assist in determining whether a malicious encryptionevent has occurred on the primary machine. These basic statistics do notrequire additional feature engineering, since they are already highlycorrelated with the encryption signal. Consequently, a LogisticRegression model works effectively for encryption detection when giventhese features.

As mentioned above, the collection of “real” labelled data for machinelearning may be time intensive and difficult. Use cases for labelleddata may be two-fold: first, labelled data provides a learning input fora model during training and, second, provides a measure of the expectedaccuracy in production during testing. Without labelled data, thechallenge of developing an effective machine learning model is high.Moreover, the volume and type of labelled data collected should accountfor the complexity of the machine learning problem.

Some examples herein obtain labelled data “artificially” by simulatingthe existence of ransomware within a development machine such as avirtual machine (VM). But some simulation approaches may neverthelessremain costly and not scale well for reasons that may include thefollowing. Many ransomware samples sourced from the Internet, forexample, are “dead-on-arrival” and will not run within a simulationenvironment. Moreover, ransomware behavior is sporadic andunpredictable. Running a sample of live ransomware is in itself achallenging task. The behavior of ransomware is unpredictable and theresults from running ransomware varies from simulation to simulation. Onsome occasions, the ransomware will run within minutes and encrypt awhole host of directories on files. Yet on other occasions, it mayremain static for long periods of time and only encrypt a small numberof files. Further, a prototypical customer machine filesystem (i.e.,susceptible or capable of having a snapshot taken of it or portions ofit) should be simulated to an appropriate degree of accuracy. Attemptingto simulate such an environment is technically complex given the widerange of possible machine environments that may exist in an array ofclusters, for example. Some users could be using a machine as an emailexchange server, whereas other users could be using their machines forrunning software builds. It is costly in terms of both computationalresources and development time to build a simulation engine that willsufficiently capture all the variations of machine environments that maybe desirable for machine learning.

For these reasons, simulating ransomware is typically a costly effort,which may unduly limit the number of data points that can be gathered.Some examples herein include or are based on an alternative approachthat is more cost-effective in terms of compute and development time.The approach may include data augmentation using snapshot metadata.

Data augmentation may provide a convenient alternative to gathering datacompared with more expensive approaches such as real or certainsimulation techniques. FIG. 10 depicts a high-level flow chart fortraining data augmentation in FMAT. When using FMAT to generate moreransomware infection data points, the seed dataset A will consist of“normal” data points, whereas the seed dataset B will consist of datapoints corresponding to ransomware “infections.” Metadata augmentationtechniques as part of FMAT can generate appropriately accurate anduseful quantities of labelled training data. This may allow the creationof significantly more complex machine learning models that materiallyimprove the accuracy of a ransomware or encryption detection pipeline.

Some example data augmentation examples may include or be based oncertain preconditions. A first example precondition may include theexistence of a seed dataset containing “normal” filesystem metadata.This may be needed to provide the initial negative samples forperforming data augmentation. A second precondition may include accessto prototype data examples of a desired positive class. A prototypeexample may serve as a seed data point for constructing the desiredpositive dataset. In the case of a SaaS platform, this example mightcorrespond to a snapshot metadata file containing the changes made by aransomware program.

Further, certain assumptions may be made in some examples of dataaugmentation in FMAT. These may be satisfied during an initial datacollection procedure. For example, hundreds of thousands of data pointsmay be processed on a weekly basis, with almost all of these data pointscorresponding to normal user filesystem activity that occurs on aregular basis. Thus, there exists a large volume of seed data points forconstructing a target normal dataset.

With reference to FIG. 11, an example application 1100 of FMAT togenerate training data for an anomaly detection model may include thefollowing operations. At operation 1102, for a given normal diff FMDfile sampled from the seed dataset A (without replacement), sample acertain number of lines from the diff FMD file. At operation 1104, for agiven prototype diff FMD file sampled from the seed dataset B (withoutreplacement), sample an additional number of lines from the prototypicaldiff FMD file, where the seed dataset B will generally be set tocorrespond to the positive target class. At operation 1106, create a newdiff FMD file containing the unique lines drawn from both of theaforementioned files. At operation 1108, repeat for every diff FMD filein the seed dataset A. A convenience or effectiveness of FMAT may bederived from its simplicity of application and an ability to repeatedlyapply it on existing and new data points.

Benefits of this FMAT approach include the creation of well-balanceddatasets. Datasets created using FMAT will typically contain awell-proportioned mixture of data examples from both the positive andnegative classes (i.e., diff FMD files). A diversified collection ofdiff FMD files containing changes from the prototype diff FMD iscreated. This enables a machine learning model to observe filesystemchanges contained in the prototype diff FMD under the context of a widevariety of snapshot changes. For example, if the prototype diff FMDcontained filesystem changes from a ransomware infection, FMAT willensure that these filesystem changes are observed by the machinelearning model alongside many other types of “normal” filesystemchanges. This helps to improve the model's ability to recognizeransomware behavior in a real-world environment.

In some examples, the application of FMAT will cause the dataset todouble in size. From an empirical standpoint, some examples apply a datapruning procedure after applying FMAT to remove noisy data points. Oneexample of an effective pruning procedure is to remove any augmenteddata point that is similar to data points in the seed datasets by usinga data similarity metric.

In some examples, it is also possible to apply FMAT on a dataset alreadyaugmented by FMAT. This may be desirable in cases where a very largedataset is needed to effectively train and test a model. Althoughrepeated applications of FMAT can grow the dataset at an exponentialrate, it can also introduce a significant source of noise in the datadue to the signal amplification effects of FMAT. Careful empiricaltesting and tuning is necessary when using FMAT in this setting.

Thus, in some examples, anomaly and ransomware detection is implementedusing a two-stage anomaly-encryption detection pipeline. A ransomwaredetection system can be built to scale infinitely by utilizing thesnapshot metadata inherently generated by a backup system for a primarymachine.

Both the anomaly and encryption detection models may be implementedusing machine learning methods. In some examples, the implementation forthe anomaly detection model utilizes deep learning approaches and isbased on a deep neural network trained using supervised learning. A deepneural network is capable of learning very sophisticated internalrepresentations built on top of raw representations for snapshotmetadata. This internal representation allows the model to make far moreaccurate anomaly predictions. In some examples, the encryption detectionmodel is implemented using a Logistic Regression model and is similarlytrained using supervised learning. Together, these two models form thebackbone of a machine learning pipeline in a ransomware detectionpipeline and may be used in conjunction towards anomaly and ransomwaredetection on snapshot metadata in a ransomware detection system.

Thus, some embodiments of the present disclosure include methods. Withreference to FIG. 12, an example method 1200 may be performed at ananomaly and detection system, the system including one or moreprocessors in communication with a storage device and a productionsystem, the one or more processors configured to perform anomaly andransomware operations including, at least: at operation 1202, taking afirst snapshot of a primary machine; at operation 1204, storing thefirst snapshot in the storage device; at operation 1206, taking a secondsnapshot of the primary machine; at operation 1208, storing the secondsnapshot in the storage device; at operation 1210, identifying changesin filesystem metadata based on the first and second snapshots; atoperation 1212, generating training data based on the changes in thefilesystem metadata; and, at operation 1214, training one or moremachine-learning models using the training data.

In some examples, the storage device is a backup storage device and theidentified changes are sourced from a backup system that includes thebackup storage device. In some examples, the anomaly and ransomwaredetection operations are performed without impacting the productionsystem. In some examples, at least some of the anomaly and ransomwaredetection operations are offloaded to a cloud-based SaaS platform. Insome examples, the one or more machine-learning models include ananomaly model and/or an encryption model. In some examples, the trainingof the one or more machine-learning models is based on training dataderived solely on the snapshot-based metadata.

With reference to FIG. 13, an example method 1300 may be performed at ananomaly and detection system, the system including one or moreprocessors in communication with a storage device and a productionsystem, the one or more processors configured to perform anomaly andransomware detection operations including, at least: at operation 1302,taking a first snapshot of a primary machine; at operation 1304, storingthe first snapshot in the storage device; at operation 1306, taking asecond snapshot of the primary machine; at operation 1308, storing thesecond snapshot in the storage device; at operation 1310, generating oraccessing a diff FMD file including filesystem metadata based at leastpartially on a difference between the first and second snapshots; atoperation 1312, generating training data based on the filesystemmetadata; and, at operation, 1314, training one or more machine-learningmodels using the training data.

In some examples, the storage device is a backup storage device and thegenerated or accessed metadata is received from a backup system thatincludes the backup storage device. In some examples, the anomaly andransomware detection operations are performed without impacting theproduction system. In some examples, at least some of the anomaly andransomware detection operations are offloaded to a cloud-based SaaSplatform. In some examples, the one or more machine-learning modelsincludes an anomaly model and/or an encryption model. In some examples,the training of the one or more machine-learning models is based ontraining data derived solely on the snapshot-based metadata.

With reference to FIG. 14, an example method 1400 may be performed by anFMAT system, the FMAT system including one or more processors configuredto training data augmentation operations including, at least: atoperation 1402, generating or accessing a normal diff FMD file sampledfrom a first seed dataset and sampling a certain number of linesaccording to a probability distribution from the diff FMD file; atoperation 1404, generating or accessing a prototype diff FMD filesampled from a second seed dataset and sampling a certain number oflines according to a probability distribution from the prototypical diffFMD file; at operation 1406, creating a new diff FMD file containing thelines sampled from each of the two aforementioned diff FMD files; and,at operation 1408, repeating to create a new diff FMD file for everydiff FMD file in the first seed dataset to generate or augment trainingdata for one or more machine-learning models.

In some examples, the first seed dataset corresponds to a negativetarget class. In some examples, the second dataset corresponds to apositive target class. In some examples, the training data augmentationoperations are performed by a backup system without impacting productionoperations in a production system served by the backup system. In someexamples, at least some of the training data augmentation operations areoffloaded by the FMAT system to a cloud-based computing platform. Insome examples, the one or more machine-learning models includes ananomaly model and/or an encryption model.

FIG. 15 is a block diagram illustrating an example of a computersoftware architecture for data classification and information securitythat may be installed on a machine, according to some exampleembodiments. FIG. 15 is merely a non-limiting example of a softwarearchitecture, and it will be appreciated that many other architecturesmay be implemented to facilitate the functionality described herein. Thesoftware architecture 1502 may be executing on hardware such as amachine 1600 of FIG. 16 that includes, among other things, processors1110, memory 1130, and I/O components 1150. A representative hardwarelayer 1504 of FIG. 15 is illustrated and can represent, for example, themachine 1700 of FIG. 17. The representative hardware layer 1504 of FIG.15 comprises one or more processing units 1506 having associatedexecutable instructions 1508. The executable instructions 1508 representthe executable instructions of the software architecture 1502, includingimplementation of the methods, modules, and so forth described herein.The hardware layer 1504 also includes memory or storage modules 1510,which also have the executable instructions 1508. The hardware layer1504 may also comprise other hardware 1512, which represents any otherhardware of the hardware layer 1504, such as the other hardwareillustrated as part of the machine 1500.

In the example architecture of FIG. 15, the software architecture 1502may be conceptualized as a stack of layers, where each layer providesparticular functionality. For example, the software architecture 1502may include layers such as an operating system 1514, libraries 1516,frameworks/middleware 1518, applications 1520, and a presentation layer1544. Operationally, the applications 1520 or other components withinthe layers may invoke API calls 1524 through the software stack andreceive a response, returned values, and so forth (illustrated asmessages 1526) in response to the API calls 1524. The layers illustratedare representative in nature, and not all software architectures haveall layers. For example, some mobile or special purpose operatingsystems may not provide a frameworks/middleware 1518 layer, while othersmay provide such a layer. Other software architectures may includeadditional or different layers.

The operating system 1514 may manage hardware resources and providecommon services. The operating system 1514 may include, for example, akernel 1528, services 1530, and drivers 1532. The kernel 1528 may act asan abstraction layer between the hardware and the other software layers.For example, the kernel 1528 may be responsible for memory management,processor management (e.g., scheduling), component management,networking, security settings, and so on. The services 1530 may provideother common services for the other software layers. The drivers 1532may be responsible for controlling or interfacing with the underlyinghardware. For instance, the drivers 1532 may include display drivers,camera drivers. Bluetooth® drivers, flash memory drivers, serialcommunication drivers (e.g., Universal Serial Bus (USB) drivers), Wi-Fi®drivers, audio drivers, power management drivers, and so forth dependingon the hardware configuration.

The libraries 1516 may provide a common infrastructure that may beutilized by the applications 1520 and/or other components and/or layers.The libraries 1516 typically provide functionality that allows othersoftware modules to perform tasks in an easier fashion than byinterfacing directly with the underlying operating system 1514functionality (e.g., kernel 1528, services 1530, or drivers 1532). Thelibraries 1516 may include system libraries 1534 (e.g., C standardlibrary) that may provide functions such as memory allocation functions,string manipulation functions, mathematic functions, and the like. Inaddition, the libraries 1516 may include API libraries 1536 such asmedia libraries (e.g., libraries to support presentation andmanipulation of various media formats such as MPEG4, H.264, MP3, AAC,AMR, JPG, PNG), graphics libraries (e.g., an OpenGL framework that maybe used to render 2D and 3D graphic content on a display), databaselibraries (e.g., SQLite that may provide various relational databasefunctions), web libraries (e.g., WebKit that may provide web browsingfunctionality), and the like. The libraries 1516 may also include a widevariety of other libraries 1538 to provide many other APIs to theapplications 1520 and other software components/modules.

The frameworks 1518 (also sometimes referred to as middleware) mayprovide a higher-level common infrastructure that may be utilized by theapplications 1520 or other software components/modules. For example, theframeworks 1518 may provide various GUI functions, high-level resourcemanagement, high-level location services, and so forth. The frameworks1518 may provide a broad spectrum of other APIs that may be utilized bythe applications 1520 and/or other software components/modules, some ofwhich may be specific to a particular operating system or platform.

The applications 1520 include built-in applications 1540 and/orthird-party applications 1542. Examples of representative built-inapplications 1540 may include, but are not limited to, a homeapplication, a contacts application, a browser application, a bookreader application, a location application, a media application, amessaging application, or a game application.

The third-party applications 1542 may include any of the built-inapplications 1540, as well as a broad assortment of other applications.In a specific example, the third-party applications 1542 (e.g., anapplication developed using the Android™ iOS™ software development kit(SDK) by an entity other than the vendor of the particular platform) maybe mobile software running on a mobile operating system such as iOS™,Android™, Windows® Phone, or other mobile operating systems. In thisexample, the third-party applications 1542 may invoke the API calls 1524provided by the mobile operating system such as the operating system1514 to facilitate functionality described herein.

The applications 1520 may utilize built-in operating system functions(e.g., kernel 1528, services 1530, or drivers 1532), libraries (e.g.,system 1534, APIs 1536, and other libraries 1538), orframeworks/middleware 1518 to create user interfaces to interact withusers of the system. Alternatively, or additionally, in some systems,interactions with a user may occur through a presentation layer, such asthe presentation layer 1544. In these systems, the application/module“logic” can be separated from the aspects of the application/module thatinteract with the user.

Some software architectures utilize virtual machines. In the example ofFIG. 15, this is illustrated by a virtual machine 1548. A virtualmachine creates a software environment where applications/modules canexecute as if they were executing on a hardware machine e.g., themachine 1700 of FIG. 17, for example). A virtual machine 1548 is hostedby a host operating system (e.g., operating system 1514) and typically,although not always, has a virtual machine monitor 1546, which managesthe operation of the virtual machine 1548 as well as the interface withthe host operating system (e.g., operating system 1514). A softwarearchitecture executes within the virtual machine 1548, such as anoperating system 1550, libraries 1552, frameworks/middleware 1554,applications 1556, or a presentation layer 1558. These layers ofsoftware architecture executing within the virtual machine 1548 can bethe same as corresponding layers previously described or may bedifferent.

FIG. 16 is a block diagram 1600 illustrating an architecture of software1602, which can be installed on any one or more of the devices describedabove. FIG. 16 is merely a non-limiting example of a softwarearchitecture, and it will be appreciated that many other architecturescan be implemented to facilitate the functionality described herein. Invarious embodiments, the software 1602 is implemented by hardware suchas a machine 1700 of FIG. 17 that includes processors 1110, memory 1130,and I/O components 1150. In this example architecture, the software 1602can be conceptualized as a stack of layers where each layer may providea particular functionality. For example, the software 1602 includeslayers such as an operating system 1604, libraries 1606, frameworks1608, and applications 1610. Operationally, the applications 1610 invokeAPI calls 1612 through the software stack and receive messages 1614 inresponse to the API calls 1612, consistent with some embodiments.

In various implementations, the operating system 1604 manages hardwareresources and provides common services. The operating system 1604includes, for example, a kernel 1620, services 1622, and drivers 1624.The kernel 1620 acts as an abstraction layer between the hardware andthe other software layers, consistent with some embodiments. Forexample, the kernel 1620 provides memory management, processormanagement (e.g., scheduling), component management, networking, andsecurity settings, among other functionality. The services 1622 canprovide other common services for the other software layers. The drivers1624 are responsible for controlling or interfacing with the underlyinghardware, according to some embodiments. For instance, the drivers 1624can include display drivers, camera drivers, BLUETOOTH® or BLUETOOTH™Low Energy drivers, flash memory drivers, serial communication drivers(e.g., USB drivers), WI-FI® drivers, audio drivers, power managementdrivers, and so forth.

In some embodiments, the libraries 1606 provide a low-level commoninfrastructure utilized by the applications 1610. The libraries 1606 caninclude system libraries 1630 (e.g., C standard library) that canprovide functions such as memory allocation functions, stringmanipulation functions, mathematic functions, and the like. In addition,the libraries 1606 can include API libraries 1632 such as medialibraries (e.g., libraries to support presentation and manipulation ofvarious media formats such as MPEG4, Advanced Video Coding (H.264 orAVC), MP3, AAC, AMR audio codec, PEG or JPG, or PNG), graphics libraries(e.g., an OpenGL framework used to render in 2D and 3D in a graphiccontent on a display), database libraries (e.g., SQLite to providevarious relational database functions), web libraries (e.g., WebKit toprovide web browsing functionality), and the like. The libraries 1606can also include a wide variety of other libraries 1634 to provide manyother APIs to the applications 1610.

The frameworks 1608 provide a high-level common infrastructure that canbe utilized by the applications 1610, according to some embodiments. Forexample, the frameworks 1608 provide various GUI functions, high-levelresource management, high-level location services, and so forth. Theframeworks 1608 can provide a broad spectrum of other APIs that can beutilized by the applications 1610, some of which may be specific to aparticular operating system or platform.

In an example embodiment, the applications 1610 include a homeapplication 1650, a contacts application 1652, a browser application1654, a book reader application 1656, a location application 1658, amedia application 1660, a messaging application 1662, a game application1664, and a broad assortment of other applications such as a third-partyapplication 1666. According to some embodiments, the applications 1610are programs that execute functions defined in the programs. Variousprogramming languages can be employed to create one or more of theapplications 1610, structured in a variety of manners, such asobject-oriented programming languages Objective-C, Java, or C++) orprocedural programming languages (e.g., C or assembly language). In aspecific example, the third-party application 1666 (e.g., an applicationdeveloped using the ANDROID™ or IOS™ SDK by an entity other than thevendor of the particular platform) may be mobile software running on amobile operating system such as IOS™, ANDROID™, WINDOWS® Phone, oranother mobile operating system. In this example, the third-partyapplication 1666 can invoke the API calls 1610 provided by the operatingsystem 1604 to facilitate functionality described herein.

FIG. 17 illustrates a diagrammatic representation of a machine 1700 inthe form of a computer system within which a set of instructions may beexecuted for causing the machine to perform any one or more of themethodologies discussed herein, according to an example embodiment.Specifically, FIG. 17 shows a diagrammatic representation of the machine1700 in the example form of a computer system, within which instructions1716 (e.g., software, a program, an application, an applet, an app, orother executable code) for causing the machine 1700 to perform any oneor more of the methodologies discussed herein may be executed.Additionally, or alternatively, the instructions 1716 may implement theoperations of the methods shown in FIGS. 12-14, or as elsewheredescribed herein.

The instructions 1716 transform the general, non-programmed machine 1700into a particular machine 1700 programmed to carry out the described andillustrated functions in the manner described. In alternativeembodiments, the machine 1700 operates as a standalone device or may becoupled (e.g., networked) to other machines. In a networked deployment,the machine 1700 may operate in the capacity of a server machine or aclient machine in a server-client network environment, or as a peermachine in a peer-to-peer (or distributed) network environment. Themachine 1700 may comprise, but not be limited to, a server computer, aclient computer, a personal computer (PC), a tablet computer, a laptopcomputer, a netbook, a set-top box (STB), a PDA, an entertainment mediasystem, a cellular telephone, a smart phone, a mobile device, a wearabledevice (e.g., a smart watch), a smart home device (e.g., a smartappliance), other smart devices, a web appliance, a network router, anetwork switch, a network bridge, or any machine capable of executingthe instructions 1716, sequentially or otherwise, that specify actionsto be taken by the machine 1700. Further, while only a single machine1700 is illustrated, the term “machine” shall also be taken to include acollection of machines 1700 that individually or jointly execute theinstructions 1716 to perform any one or more of the methodologiesdiscussed herein.

The machine 1700 may include processors 1710, memory 1730, and I/Ocomponents 1750, which may be configured to communicate with each othersuch as via a bus 1702. In an example embodiment, the processors 1710(e.g., a CPU, a Reduced Instruction Set Computing (RISC) processor, aComplex Instruction Set Computing (CISC) processor, a GPU, a DigitalSignal Processor (DSP), an ASIC, a Radio-Frequency Integrated Circuit(RFIC), another processor, or any suitable combination thereof) mayinclude, for example, a processor 1712 and a processor 1714 that mayexecute the instructions 1716. The term “processor” is intended toinclude multi-core processors that may comprise two or more independentprocessors (sometimes referred to as “cores”) that may executeinstructions contemporaneously. Although FIG. 17 shows multipleprocessors 1710, the machine 1700 may include a single processor with asingle core, a single processor with multiple cores (e.g., a multi-coreprocessor), multiple processors with a single core, multiple processorswith multiples cores, or any combination thereof.

The memory 1730 may include a main memory 1732, a static memory 1734,and a storage unit 1736, each accessible to the processors 1710 such asvia the bus 1702. The main memory 1730, the static memory 1734, andstorage unit 1736 store the instructions 1716 embodying any one or moreof the methodologies or functions described herein. The instructions1716 may also reside, completely or partially, within the main memory1732, within the static memory 1734, within the storage unit 1736,within at least one of the processors 1710 (e.g., within the processor'scache memory), or any suitable combination thereof, during executionthereof by the machine 1700.

The I/O components 1750 may include a wide variety of components toreceive input, provide output, produce output, transmit information,exchange information, capture measurements, and so on. The specific I/Ocomponents 1750 that are included in a particular machine will depend onthe type of machine. For example, portable machines such as mobilephones will likely include a touch input device or other such inputmechanisms, while a headless server machine will likely not include sucha touch input device. It will be appreciated that the I/O components1750 may include many other components that are not shown in FIG. 17.The I/O components 1750 are grouped according to functionality merelyfor simplifying the following discussion and the grouping is in no waylimiting. In various example embodiments, the I/O components 1750 mayinclude output components 1752 and input components 1754. The outputcomponents 1752 may include visual components (e.g., a display such as aplasma display panel (PDP), a light emitting diode (LED) display, aliquid crystal display (LCD), a projector, or a cathode ray tube (CRT)),acoustic components (e.g., speakers), haptic components (e.g., avibratory motor, resistance mechanisms), other signal generators, and soforth. The input components 1754 may include alphanumeric inputcomponents (e.g., a keyboard, a touch screen configured to receivealphanumeric input, a photo-optical keyboard, or other alphanumericinput components), point-based input components (e.g., a mouse, atouchpad, a trackball, a joystick, a motion sensor, or another pointinginstrument), tactile input components (e.g., a physical button, a touchscreen that provides location and/or force of touches or touch gestures,or other tactile input components), audio input components (e.g., amicrophone), and the like.

In further example embodiments, the I/O components 1750 may includebiometric components 1756, motion components 1758, environmentalcomponents 1760, or position components 1762, among a wide array ofother components. For example, the biometric components 1756 may includecomponents to detect expressions (e.g., hand expressions, facialexpressions, vocal expressions, body gestures, or eye tracking), measurebio signals (e.g., blood pressure, heart rate, body temperature,perspiration, or brain waves), identify a person (e.g., voiceidentification, retinal identification, facial identification,fingerprint identification, or electroencephalogram-basedidentification), and the like. The motion components 1758 may includeacceleration sensor components (e.g., accelerometer), gravitation sensorcomponents, rotation sensor components (e.g., gyroscope), and so forth.The environmental components 1760 may include, for example, illuminationsensor components (e.g., photometer), temperature sensor components(e.g., one or more thermometers that detect ambient temperature),humidity sensor components, pressure sensor components (e.g.,barometer), acoustic sensor components (e.g., one or more microphonesthat detect background noise), proximity sensor components (e.g.,infrared sensors that detect nearby objects), gas sensors (e.g., gasdetection sensors to detection concentrations of hazardous gases forsafety or to measure pollutants in the atmosphere), or other componentsthat may provide indications, measurements, or signals corresponding toa surrounding physical environment. The position components 1762 mayinclude location sensor components (e.g., a GPS receiver component),altitude sensor components (e.g., altimeters or barometers that detectair pressure from which altitude may be derived), orientation sensorcomponents (e.g., magnetometers), and the like.

Communication may be implemented using a wide variety of technologies.The I/O components 1750 may include communication components 1764operable to couple the machine 1700 to a network 1780 or devices 1770via a coupling 1782 and a coupling 1772, respectively. For example, thecommunication components 1764 may include a network interface componentor another suitable device to interface with the network 1780. Infurther examples, the communication components 1764 may include wiredcommunication components, wireless communication components, cellularcommunication components, Near Field Communication (NFC) components,Bluetooth® components (e.g., Bluetooth®Low Energy), Wi-Fi® components,and other communication components to provide communication via othermodalities. The devices 1770 may be another machine or any of a widevariety of peripheral devices (e.g., a peripheral device coupled via aUSB).

Moreover, the communication components 1764 may detect identifiers orinclude components operable to detect identifiers. For example, thecommunication components 1764 may include Radio Frequency Identification(RFID) tag reader components, NFC smart tag detection components,optical reader components (e.g., an optical sensor to detectone-dimensional bar codes such as Universal Product Code (UPC) bar code,multi-dimensional bar codes such as Quick Response (QR) code, Azteccode, Data Matrix, Dataglyph, MaxiCode, PDF417, Ultra Code, UCC RSS-2Dbar code, and other optical codes), or acoustic detection components(e.g., microphones to identify tagged audio signals). In addition, avariety of information may be derived via the communication components1764, such as location via IP geolocation, location via Wi-Fi® signaltriangulation, location via detecting an NFC beacon signal that mayindicate a particular location, and so forth.

The various memories (i.e., 1730, 1732, 1734, and/or memory of theprocessor(s) 1710) and/or storage unit 1736 may store one or more setsof instructions and data structures (e.g., software) embodying orutilized by any one or more of the methodologies or functions describedherein. These instructions (e.g., the instructions 1716), when executedby processor(s) 1710, cause various operations to implement thedisclosed embodiments.

As used herein, the terms “machine-storage medium,” “device-storagemedium,” “computer-storage medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms refer to a single ormultiple storage devices and/or media (e.g., a centralized ordistributed database, and/or associated caches and servers) that storeexecutable instructions and/or data. The terms shall accordingly betaken to include, but not be limited to, solid-state memories, andoptical and magnetic media, including memory internal or external toprocessors. Specific examples of machine-storage media, computer-storagemedia and/or device-storage media include non-volatile memory, includingby way of example semiconductor memory devices, e.g., erasableprogrammable read-only memory (EPROM), electrically erasableprogrammable read-only memory (EEPROM), FPGA, and flash memory devices;magnetic disks such as internal hard disks and removable disks;magneto-optical disks; and CD-ROM and DVD-ROM disks. The terms“machine-storage media,” “computer-storage media,” and “device-storagemedia” specifically exclude carrier waves, modulated data signals, andother such media, at least some of which are covered under the term“signal medium” discussed below.

In various example embodiments, one or more portions of the network 1780may be an ad hoc network, an intranet, an extranet, a VPN, a LAN, aWLAN, a WAN, a WWAN, a MAN, the Internet, a portion of the Internet, aportion of the PSTN, a plain old telephone service (POTS) network, acellular telephone network, a wireless network, a Wi-Fi® network,another type of network, or a combination of two or more such networks.For example, the network 1780 or a portion of the network 1780 mayinclude a wireless or cellular network, and the coupling 1782 may be aCode Division Multiple Access (CDMA) connection, a Global System forMobile communications (GSM) connection, or another type of cellular orwireless coupling. In this example, the coupling 1782 may implement anyof a variety of types of data transfer technology, such as SingleCarrier Radio Transmission Technology (1xRTT), Evolution-Data Optimized(EVDO) technology, General Packet Radio Service (GPRS) technology,Enhanced Data rates for GSM Evolution (EDGE) technology, thirdGeneration Partnership Project (3GPP) including 3G, fourth generationwireless (4G) networks, Universal Mobile Telecommunications System(UMTS), High Speed Packet Access (HSPA), Worldwide Interoperability forMicrowave Access (WiMAX), Long Term Evolution (LTE) standard, othersdefined by various standard-setting organizations, other long rangeprotocols, or other data transfer technology.

The instructions 1716 may be transmitted or received over the network1780 using a transmission medium via a network interface device (e.g., anetwork interface component included in the communication components1764) and utilizing any one of a number of well-known transfer protocols(e.g., hypertext transfer protocol (HTTP)). Similarly, the instructions1716 may be transmitted or received using a transmission medium via thecoupling 1772 (e.g., a peer-to-peer coupling) to the devices 1770. Theterms “transmission medium” and “signal medium” mean the same thing andmay be used interchangeably in this disclosure. The terms “transmissionmedium” and “signal medium” shall be taken to include any intangiblemedium that is capable of storing, encoding, or carrying theinstructions 1716 for execution by the machine 1700, and includesdigital or analog communications signals or other intangible media tofacilitate communication of such software. Hence, the terms“transmission medium” and “signal medium” shall be taken to include anyform of modulated data signal, carrier wave, and so forth. The term“modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a matter as to encode informationin the signal.

The terms “machine-readable medium,” “computer-readable medium,” and“device-readable medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms are defined to includeboth machine-storage media and transmission media. Thus, the termsinclude both storage devices/media and carrier waves/modulated datasignals.

Although an embodiment has been described with reference to specificexample embodiments, it will be evident that various modifications andchanges may be made to these embodiments without departing from thebroader spirit and scope of the invention. Accordingly, thespecification and drawings are to be regarded in an illustrative ratherthan a restrictive sense. The accompanying drawings that form a parthereof, show by way of illustration, and not of limitation, specificembodiments in which the subject matter may be practiced. Theembodiments illustrated are described in sufficient detail to enablethose skilled in the art to practice the teachings disclosed herein.Other embodiments may be utilized and derived therefrom, such thatstructural and logical substitutions and changes may be made withoutdeparting from the scope of this disclosure. This Detailed Description,therefore, is not to be taken in a limiting sense, and the scope ofvarious embodiments is defined only by the appended claims, along withthe full range of equivalents to which such claims are entitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed. Thus, although specific embodiments havebeen illustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments,Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent to those of skill in theart upon reviewing the above description.

1. An anomaly and ransomware detection system, comprising: a storagedevice configured to store a base file or snapshot of a primary machine;and one or more processors in communication with the storage device anda production system, the one or more processors configured to performanomaly and ransomware detection operations including, at least: takinga first snapshot of a primary machine; storing the first snapshot in thestorage device; taking a second snapshot of the primary machine; storingthe second snapshot in the storage device; generating or accessing adiff FMD file including filesystem metadata based at least partially ona difference between the first and second snapshots; generating trainingdata based on the filesystem metadata; and training one or moremachine-learning models using the training data.
 2. The anomaly anddetection system of claim 1, wherein the storage device is a backupstorage device and the generated or accessed metadata is received from abackup system that includes the backup storage device.
 3. The anomalyand detection system of claim 1, wherein the anomaly and ransomwaredetection operations are performed without impacting the productionsystem.
 4. The anomaly and detection system of claim 3, wherein at leastsome of the anomaly and ransomware detection operations are offloaded toa cloud-based software-as-a-service platform.
 5. The anomaly anddetection system of claim 1, wherein the one or more machine-learningmodels includes an anomaly model and/or an encryption model.
 6. Theanomaly and detection system of claim 1, wherein the training of the oneor more machine-learning models is based on training data derived solelyon the snapshot-based metadata.
 7. A computer-implemented method at ananomaly and detection system, the system including one or moreprocessors in communication with a storage device and a productionsystem, the one or more processors configured to perform anomaly andransomware detection operations including, at least: taking a firstsnapshot of a primary machine; storing the first snapshot in the storagedevice; taking a second snapshot of the primary machine; storing thesecond snapshot in the storage device; generating or accessing a diffFMD file including filesystem metadata based at least partially on adifference between the first and second snapshots; generating trainingdata based on the filesystem metadata; and training one or moremachine-learning models using the training data.
 8. The method of claim7, wherein the storage device is a backup storage device and thegenerated or accessed metadata is received from a backup system thatincludes the backup storage device.
 9. The method of claim 7, whereinthe anomaly and ransomware detection operations are performed withoutimpacting the production system.
 10. The method of claim 9, wherein atleast some of the anomaly and ransomware detection operations areoffloaded to a cloud-based software-as-a-service platform.
 11. Themethod of claim 7, wherein the one or more machine-learning modelsincludes an anomaly model and/or an encryption model.
 12. The method ofclaim 7, wherein the training of the one or more machine-learning modelsis based on training data derived solely on the snapshot-based metadata.13. A non-transitory, machine-readable medium storing instructionswhich, when read by a machine, cause the machine to perform operationscomprising, at least: taking a first snapshot of a primary machine;storing the first snapshot in a storage device; taking a second snapshotof the primary machine; storing the second snapshot in the storagedevice; generating or accessing a diff FMD file including filesystemmetadata based at least partially on a difference between the first andsecond snapshots; generating training data based on the filesystemmetadata; and training one or more machine-learning models using thetraining data.
 14. The medium of claim 13, wherein the storage device isa backup storage device and the generated or accessed metadata isreceived from a backup system that includes the backup storage device.15. The medium of claim
 13. wherein the anomaly and ransomware detectionoperations are performed without impacting the production system. 16.The medium of claim 9, wherein at least some of the anomaly andransomware detection operations are offloaded to a cloud-basedsoftware-as-a-service platform.
 17. The medium of claim 16, wherein theone or more machine-learning models includes an anomaly model and/or anencryption model.
 18. The medium of claim 16, wherein the training ofthe one or more machine-learning models is based on training dataderived solely on the snapshot-based metadata.